The NSA just made the case for a policy layer in front of MCP
The NSA published 17 pages on MCP security. We map every recommendation to where enforcement actually happens: the call path between agent and tool.
48 posts
MCP ships no auth model of its own. Here is how MCP authentication actually works, where it breaks across a fleet, and how to fix it at the gateway.
Authentication proves who is calling. MCP authorization decides what they can do. Here is how to add per-tool, per-argument limits to AI agents.
MCP's OAuth flow lets agents reach protected servers without static keys. Here is how MCP OAuth works, where it gets messy across a fleet, and how to manage it.
An MCP gateway sits in front of every MCP server and evaluates each tool call before it runs. Here is what it does, how it works, and when you need one.
Anthropic showed model defences can't stand alone: Claude leaked secrets 24 of 25 times under injection. Why AI agent containment belongs at the environment layer.
Branch-level Deny if rules and protected-repo allowlists for the GitHub MCP server. Stop autonomous agents force-pushing to main or deleting your repos.
Stop autonomous agents POSTing your data to attacker domains. PolicyLayer's URL allowlists turn MCP fetch and HTTP tools into deterministic one-way readers.
Stop autonomous agents from burning through your inference budget. PolicyLayer's cost-scaled limits cap LLM tokens, not just tool calls, on every MCP server.
Lock your AI agent's kubectl access to dev and staging namespaces. PolicyLayer adds a second wall on top of Kubernetes RBAC and audits every blocked call.
Stop chasing 30 developers to update MCP configs on every key rotation. Centralised credentials behind the gateway, labelled Grant tokens, one update.
Stop your agent running rm -rf through a third-party shell-exec MCP server. PolicyLayer Require and Deny if rules give you a two-layer command allowlist.
Lock your Slack MCP server to specific channels and strip destructive tools from the MCP handshake. Practical Require, Deny if, and Hide policy walkthrough.
A concrete walkthrough of indirect prompt injection delivered via MCP tool responses. The attack, the model's reasoning, and the policy that stops it.
Discover why system prompts fail as a security boundary for AI agents, and how transport-level MCP proxies provide deterministic guardrails.
Learn how to use PolicyLayer's hosted proxy gateway to secure Claude Code tool usage, inspect JSON-RPC arguments, and set up policy boundaries on upstream MCP servers.
Microsoft's Agent Governance Toolkit shipped the cleanest validation of deterministic policy enforcement in agent security: 26.67% violations under prompt-only safety, 0% under AGT. AGT governs one runtime. The harder problem is governance across many.
Oracle has named the category: runtime governance for agentic AI. Their framework is right; their architectural assumption is wrong for most teams. PolicyLayer enforces the same five pillars at the MCP boundary.
Anthropic published the production playbook for MCP: 300M SDK downloads, thin tools over 2,500 endpoints, OAuth vaults. The playbook stops at the tool call. Argument-level policy is what comes next.
Cloudflare's enterprise MCP launch solves discovery, access, and shadow-MCP prevention. That's the baseline. The harder question — what agents are allowed to do once they're inside — needs a different primitive.
Microsoft's open-source toolkit: nine packages for agent policy, identity, and compliance. Review of what works — and the MCP-shaped hole teams must bridge themselves.
A 10-point checklist for deploying AI agents that call APIs, move money, and modify databases. Covers deny-by-default, spend limits, rate limiting, and approval workflows.
MCP policy enforcement intercepts every AI agent tool call and evaluates it against deterministic rules before execution. Here's how it works and how to set it up.
System prompts can't enforce spending limits or prevent destructive operations. Here's why prompt guardrails fail for tool-calling AI agents and what works instead.
Bain & Company's agentic AI architecture framework calls for centralised policy enforcement across MCP tool calls. Intercept is the open-source implementation.
X released an official MCP server with 131 tools — including posting, DMs, follows, and deletes. Here's why that's a problem and how to enforce policies on it.
MPP lets agents spend money autonomously. Intercept is the first MCP proxy that reads the actual price from the server and enforces YAML-defined budgets before any payment leaves the wallet.
Cloudflare, Stripe, Supabase, Sentry, Firebase — we ran PolicyLayer's scan against real .mcp.json files from well-known repos. Most expose destructive tools with zero policy enforcement.
Most teams will wrap their own dangerous tools. The real market for agent control only gets large if agents become dynamic consumers of external services the team did not fully pre-wrap.
Security researchers filed 30+ CVEs against MCP servers in early 2026. Patching individual servers doesn't fix the structural gap. The real fix is a policy layer that works across all of them.
A new research paper argues that LLMs cannot self-enforce security constraints. Intercept implements every recommendation — as open-source software you can deploy today.
The AWS MCP server exposes 55 tools for EC2, S3, Lambda, and RDS. Here's how to block destructive operations and rate limit resource creation.
The Cloudflare MCP server gives AI agents access to DNS changes, worker deployments, and zone management. Here's how to block deletions and rate limit infrastructure changes.
The Docker MCP server gives AI agents access to container removal, image deletion, and volume destruction. Here's how to block destructive operations.
The filesystem MCP server gives AI agents unrestricted read and write access. Here's how to rate limit file operations and prevent destructive mistakes.
The GitHub MCP server exposes 83 tools — including file deletion, repo creation, and PR merges. Here's how to enforce policies before your agent ships something it shouldn't.
The Gmail MCP server gives AI agents access to send emails, delete messages in bulk, and manage your inbox. Here's how to rate limit sends and block batch operations.
The PostgreSQL MCP server exposes a raw SQL query tool with no restrictions. Here's how to rate limit queries before your agent drops a table.
The Redis MCP server lets AI agents run SET, DELETE, and FLUSHALL. Here's how to block destructive commands and rate limit writes.
The Slack MCP server lets AI agents post messages, reply to threads, and add reactions. Here's how to rate limit messaging before your agent spams your workspace.
The Stripe MCP server exposes 27 tools to AI agents — refunds, charges, payment links. Add rate limits and spending caps before something goes wrong.
What happens when your AI agent goes rogue? Six failure modes — runaway loops, spending spirals, destructive ops — and the deterministic policies that stop them.
LLMs can't reliably self-enforce safety rules. Deterministic policy enforcement outside the model catches what prompts miss — here's the architecture.
Prompt guardrails for MCP agents are bypassable and unauditable. Why deterministic policy enforcement at the transport layer is the real security primitive.
Add per-tool and global rate limits to any MCP server in under 5 minutes. Copy-paste YAML policies for counters, wildcards, and stateful tracking.
A step-by-step guide to adding transaction limits, daily spend caps, and currency restrictions to MCP-connected AI agents using YAML policies and the Intercept proxy.
npx @policylayer/mcp init takes you from zero to policy-enforced AI agent in under a minute. Browser auth, guided setup, and MCP tools your agent discovers automatically.
MCP servers are giving AI agents access to wallets, bridges, and DeFi. Here's how to enforce spending limits on any MCP-powered agent in under five minutes.